Incoming Messages
PGP Desktop manages incoming mail messages based on the
content of the message. These scenarios assume standalone
PGP Desktop, not in a domain protected by a PGP Universal
server (in which case mail action policies set by your PGP
Universal Server administrator can apply):
Message neither encrypted nor signed. PGP Desktop does
nothing to the content of these messages; it simply
passes the message along to your email client.
Message encrypted, but not signed. When PGP Desktop
sees a message coming to you that is encrypted, it will
attempt to decrypt it for you. To do this, PGP Desktop will
check the local keyring for the private key that can
decrypt the message. If the private key is not on the local
keyring, PGP Desktop will not be able to decrypt it; the
message will be passed to your email client still
encrypted. If the private key is on the local keyring, PGP
Desktop will decrypt it immediately if the passphrase for
the private key is in memory (cached). If the passphrase
is not cached, PGP Desktop will prompt you for the
passphrase and decrypt the message when you supply the
correct passphrase. Once a message is decrypted, PGP
Desktop passes it to your email client.
If the PGP Desktop messaging proxy is turned off, PGP
Desktop will not be able to decrypt incoming encrypted
messages; it will pass them along to your email client still
encrypted. It is recommended that you leave your
messaging proxy on all the time if you expect to be
sending and receiving encrypted messages. On is the
default setting.
Message signed, but not encrypted. PGP Desktop will
search the local keyring for a public key that can be used
to verify the signature. If PGP Desktop cannot find the
appropriate public key on the local keyring, it will try to
search for a keyserver at keys.domain (where domain is
the domain of the sender of the message), then the PGP
Global Directory (https://keyserver.pgp.com), and finally
any other configured keyservers. If PGP Desktop finds
the right public key at any of these locations, it checks
the signature, reports it as good or bad, and passes the
message to your email client annotated with information
about the signature; the same information is also written
to the PGP Log. If PGP Desktop cannot find the appropriate
public key, it passes the message to your email client
unverified. Note that a good signature made with a key
fetched from a keyserver shows only that the message was
signed with that key; whether the key really belongs to the
sender is a separate question of key validity (see the Note
below).
Message encrypted and signed. PGP Desktop goes
through both of the processes described above: first
finding the private key to decrypt the message and then
finding the public key to verify the signature. However, if
a message cannot be decrypted, then it cannot be verified,
because the signature is inside the encrypted data.
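The four scenarios above, as an added example that is not PGP Desktop code: a small Python model of the incoming-mail decision path. Keys, passphrases and the signature result are constructed stand-ins (no real OpenPGP is performed); the configured keyserver name keys.corp.example and the key IDs are assumptions. What the model shows that the prose does not: the keyserver lookup order is derived from the sender's address, a bad signature is reported differently from a signature that could not be checked for lack of a key, and a signature inside an undecryptable message is left unchecked rather than reported as bad.

```python
"""Model of how the messaging proxy handles an incoming message.

Added example, not PGP Desktop code. All keys, passphrases and the
signature outcome below are constructed stand-ins.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import Callable, Dict, List, Optional, Set

PGP_GLOBAL_DIRECTORY = "keyserver.pgp.com"      # named in the text
CONFIGURED_KEYSERVERS = ["keys.corp.example"]   # assumption: "other configured keyservers"


@dataclass
class Incoming:
    sender: str                          # From: header value
    encrypted_to: Optional[str] = None   # ID of the key the message is encrypted to
    signed_by: Optional[str] = None      # ID of the signing key (inside the ciphertext when encrypted)
    signature_good: bool = True          # stand-in for the cryptographic signature check


@dataclass
class Keyring:
    proxy_on: bool = True
    private_keys: Dict[str, str] = field(default_factory=dict)     # key ID -> passphrase (stand-in)
    cached: Set[str] = field(default_factory=set)                  # key IDs whose passphrase is in memory
    public_keys: Set[str] = field(default_factory=set)             # public keys on the local keyring
    keyservers: Dict[str, Set[str]] = field(default_factory=dict)  # server -> key IDs it serves


@dataclass
class Verdict:
    decrypted: Optional[bool]        # None: the message was not encrypted
    signature: str                   # none / good / bad / unverified / unchecked
    key_source: Optional[str] = None # where the verifying key came from


def lookup_order(sender: str) -> List[str]:
    """Where a public key missing from the keyring is looked for, in order."""
    _, addr = parseaddr(sender)
    domain = addr.rpartition("@")[2].lower()
    return [f"keys.{domain}", PGP_GLOBAL_DIRECTORY] + CONFIGURED_KEYSERVERS


def find_public_key(key_id: str, sender: str, ring: Keyring) -> Optional[str]:
    if key_id in ring.public_keys:
        return "local keyring"
    for server in lookup_order(sender):
        if key_id in ring.keyservers.get(server, set()):
            return server
    return None


def process(msg: Incoming, ring: Keyring,
            prompt: Callable[[str], Optional[str]] = lambda _key_id: None) -> Verdict:
    """Decrypt and/or verify msg the way the text describes; prompt() models the passphrase dialog."""
    if not ring.proxy_on:
        # Assumption: with the proxy off the message is not touched, so nothing is checked.
        return Verdict(False if msg.encrypted_to else None,
                       "unchecked" if msg.signed_by else "none")
    decrypted: Optional[bool] = None
    if msg.encrypted_to:
        passphrase = ring.private_keys.get(msg.encrypted_to)
        if passphrase is None:                       # no matching private key on the keyring
            decrypted = False
        elif msg.encrypted_to in ring.cached:        # passphrase already in memory
            decrypted = True
        elif prompt(msg.encrypted_to) == passphrase: # correct passphrase supplied: cache it
            ring.cached.add(msg.encrypted_to)
            decrypted = True
        else:
            decrypted = False
        if not decrypted:
            # The signature (if any) is inside the ciphertext, so it cannot be checked.
            return Verdict(decrypted, "unchecked" if msg.signed_by else "none")
    if not msg.signed_by:
        return Verdict(decrypted, "none")
    source = find_public_key(msg.signed_by, msg.sender, ring)
    if source is None:
        return Verdict(decrypted, "unverified")      # passed on unverified, not "bad"
    return Verdict(decrypted, "good" if msg.signature_good else "bad", source)


def sample_keyring() -> Keyring:
    """Constructed sample data: one private key, one local public key, two keyserver hits."""
    return Keyring(
        private_keys={"0xME": "correct horse"},
        public_keys={"0xBOB"},
        keyservers={"keys.example.com": {"0xALICE"}, PGP_GLOBAL_DIRECTORY: {"0xCAROL"}},
    )


if __name__ == "__main__":
    ring = sample_keyring()
    print(process(Incoming("Alice <alice@example.com>", signed_by="0xALICE"), ring))
    print(process(Incoming("bob@example.org", signed_by="0xBOB", signature_good=False), ring))
    print(process(Incoming("x@example.net", encrypted_to="0xOTHER", signed_by="0xBOB"), ring))
    print(process(Incoming("x@example.net", encrypted_to="0xME"), ring, prompt=lambda k: "correct horse"))
```

Running the block with no passphrase prompt leaves an encrypted message undecrypted on the first call; supplying the correct passphrase once caches it, and later messages to the same key decrypt without a prompt, matching the behaviour described above.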
If PGP Desktop is unable to either decrypt or verify a message,
you might want to consider contacting the sender of the
message. If the message could not be decrypted, make sure
the sender encrypted to your actual public key. If the message
could not be verified, ask the sender to publish their key on
the PGP Global Directory (older PGP versions or other
OpenPGP products can access the web version of this
directory at https://keyserver.pgp.com),
or ask them to send their public key to you directly by email.
Note: PGP Desktop only encrypts by default to keys that are
known to be valid. If you did not get a key from the PGP
Global Directory, you may need to verify its fingerprint with
the owner and sign it for it to be used.
Outgoing Messages
Email messages that you send can be encrypted, signed, both,
or neither. Because you probably have different combinations
for different recipients or email domains, you need to create
policies for all of your outgoing email message possibilities.
Once correct policies are in place, your email messages are
protected automatically and transparently.
If you are in a PGP Universal Server-managed environment,
your PGP Desktop policies are controlled by the policies
specified by your PGP Universal Server administrator. Your
administrator may also have specified how to handle outgoing
email messages if the PGP Universal Server is not available.
These policies are called offline (or local) policies.
Default Policies
PGP Desktop Email includes four default policies:
Mailing List Admin Requests. Administrative requests to
mailing lists are sent in the clear; that is, not encrypted
or signed.
Mail List Submissions. Submissions to mailing lists are
sent signed (so they can be authenticated) but not
encrypted.
Require Encryption: [PGP] Confidential. Any message
flagged as confidential in your email client or containing
the text “[PGP]” in the subject line must be encrypted to a
valid recipient public key or it will not be sent. This policy
gives you a way to easily handle messages that must be
sent encrypted or not sent at all.
Opportunistic Encryption. Specifies that any message
for which a key to encrypt cannot be found should be sent
without encryption (in the clear). Having this policy as
the last policy in the list ensures that your messages will
be sent (unless you flag the message as Confidential),
albeit in the clear, even if a key to encrypt it to the
recipient cannot be found.
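The four default policies above, as an added example that is not PGP Desktop code: a Python model of an ordered outgoing-mail policy list in which the first matching policy decides. It assumes the policies are evaluated in the order listed, that admin requests are recognised by a "-request" local part or a list-manager robot address (the page does not say how PGP Desktop recognises them), that the encrypting policies also sign, and it uses constructed list addresses and a constructed key directory in which only a key marked valid is used for encryption. What it shows beyond the prose is why the order matters: moving Opportunistic Encryption to the top makes a "[PGP]" message to a recipient with no valid key go out in the clear instead of being blocked.

```python
"""Model of PGP Desktop's ordered outgoing-mail policies.

Added example, not PGP Desktop code. Policies are evaluated top to bottom
and the first match decides; list addresses, the key directory and the
admin-request heuristic are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed stand-in for the keyring/directory lookup: recipient -> key validity.
# Only a "valid" key is encrypted to (PGP Desktop encrypts by default only to valid keys).
KEY_DIRECTORY: Dict[str, str] = {
    "bob@example.com": "valid",
    "carol@example.org": "unvalidated",   # key present but its fingerprint was never checked
    # dave@nowhere.example: no key at all
}

# Constructed: mailing lists this user submits to.
MAILING_LISTS = {"dev@lists.example.net"}


@dataclass
class Message:
    recipient: str
    subject: str
    confidential: bool = False   # the email client's "confidential" flag


@dataclass
class Policy:
    name: str
    matches: Callable[[Message], bool]
    encrypt: bool               # try to encrypt to the recipient's key
    sign: bool
    fail_closed: bool = False   # no valid key: block the message (True) or send in the clear (False)


@dataclass
class Decision:
    policy: Optional[str]
    transport: str              # "encrypt", "clear" or "block"
    signed: bool


def is_list_admin_request(msg: Message) -> bool:
    # Assumption: admin traffic goes to "<list>-request@..." or to a list-manager robot.
    local = msg.recipient.split("@", 1)[0].lower()
    return local.endswith("-request") or local in {"majordomo", "listserv"}


def is_list_submission(msg: Message) -> bool:
    return msg.recipient.lower() in MAILING_LISTS


def is_confidential(msg: Message) -> bool:
    # From the text: the client's confidential flag or "[PGP]" in the subject line.
    return msg.confidential or "[PGP]" in msg.subject


DEFAULT_POLICIES: List[Policy] = [
    Policy("Mailing List Admin Requests", is_list_admin_request, encrypt=False, sign=False),
    Policy("Mail List Submissions", is_list_submission, encrypt=False, sign=True),
    # sign=True on the two encrypting policies is an assumption; the page does not say.
    Policy("Require Encryption: [PGP] Confidential", is_confidential,
           encrypt=True, sign=True, fail_closed=True),
    Policy("Opportunistic Encryption", lambda _m: True, encrypt=True, sign=True),
]


def decide(msg: Message, policies: List[Policy],
           directory: Dict[str, str] = KEY_DIRECTORY) -> Decision:
    """Return what happens to msg under the first policy that matches it."""
    for p in policies:
        if not p.matches(msg):
            continue
        if not p.encrypt:
            return Decision(p.name, "clear", p.sign)
        if directory.get(msg.recipient.lower()) == "valid":
            return Decision(p.name, "encrypt", p.sign)
        if p.fail_closed:
            return Decision(p.name, "block", p.sign)   # encrypted or not sent at all
        return Decision(p.name, "clear", p.sign)       # opportunistic fallback
    # Assumption: if no policy matches, the model refuses to send.
    return Decision(None, "block", False)


def misordered_policies() -> List[Policy]:
    """Opportunistic Encryption moved to the top: the ordering mistake to avoid."""
    return [DEFAULT_POLICIES[3]] + DEFAULT_POLICIES[:3]


if __name__ == "__main__":
    samples = [
        Message("dev-request@lists.example.net", "unsubscribe"),
        Message("dev@lists.example.net", "patch for review"),
        Message("bob@example.com", "lunch", confidential=True),
        Message("carol@example.org", "hello"),
        Message("dave@nowhere.example", "[PGP] Q3 numbers"),
    ]
    for m in samples:
        d = decide(m, DEFAULT_POLICIES)
        print(f"{m.recipient:32} {d.policy!s:42} -> {d.transport}, signed={d.signed}")
    leak = decide(samples[-1], misordered_policies())
    print("misordered:", leak.policy, "->", leak.transport)
```

Note that the message to carol@example.org goes out in the clear even though a key for her is present, because the key has not been validated; this is the case the Note in the previous section is about.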
Creating New Policies
PGP Desktop Email includes the ability to create and use new
policies in addition to the four default policies. You can create
policies based on a wide variety of criteria. If you are using
PGP Desktop Email in a PGP Universal Server-managed
environment, your messaging policies and other settings may
be controlled by your organization’s PGP administrator.
For complete information about how to create and implement
messaging policies, see the PGP Desktop User’s Guide.